How the CVE Works
CVE-2025-2377 is a stored Cross-Site Scripting (XSS) vulnerability in SourceCodester Vehicle Management System 1.0. The flaw exists in the `/confirmbooking.php` file due to improper sanitization of the `id` parameter. An attacker can inject malicious JavaScript payloads via this parameter, which are then executed when an admin or user views the affected booking entry. The vulnerability is remotely exploitable with low privileges, requiring only user-level interaction. The CVSS 4.0 score of 5.1 (MEDIUM) reflects its moderate impact due to the need for user interaction and limited scope.
DailyCVE Form
Platform: SourceCodester
Version: 1.0
Vulnerability: Stored XSS
Severity: Medium
Date: 05/14/2025
What Undercode Say:
Exploitation:
- Craft a malicious booking request with XSS payload in the `id` parameter:
POST /confirmbooking.php HTTP/1.1
Host: target.com

id=<script>alert(document.cookie)</script>
- Use social engineering to trick an admin into viewing the booking.
Detection:
curl -sk "http://target.com/confirmbooking.php?id=%3Cb%3Ecve-2025-2377-test%3C%2Fb%3E" | grep -q "<b>cve-2025-2377-test</b>" && echo "Vulnerable: id rendered without encoding"
Mitigation:
1. Patch: Apply vendor updates.
2. Sanitize input in `/confirmbooking.php`:
$id = htmlspecialchars($_GET['id'], ENT_QUOTES, 'UTF-8');
3. Deploy a WAF with XSS filtering (nginx example; `$args` is the raw, still percent-encoded query string, so this rule sees neither POST bodies nor encoded tags and is a stop-gap, not a replacement for the code fix):
location ~ confirmbooking\.php {
    set $block_xss 0;
    if ($args ~* "<script") { set $block_xss 1; }
    if ($block_xss = 1) { return 403; }
}
Log Analysis:
grep -i "confirmbooking.php?id=" /var/log/apache2/access.log | awk '{print $1, $7}'
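The grep above matches only what is literally in the log; as an added example that is not part of the report or the vendor's code, the following Python scan over constructed Apache access-log lines parses each request to `/confirmbooking.php`, percent-decodes the `id` value (repeatedly, to catch double encoding) and flags anything that is not a plain numeric booking id. The sample log lines and the `check_id` classification rules are assumptions for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote
# Constructed Apache combined-log sample (not real traffic); hits 2 and 3 carry
# percent-encoded and double-encoded payloads in `id` that a raw "<script" grep misses.
SAMPLE_LOG = """\
203.0.113.5 - - [14/May/2025:10:01:02 +0000] "GET /confirmbooking.php?id=42 HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.9 - - [14/May/2025:10:02:17 +0000] "GET /confirmbooking.php?id=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 1601 "-" "curl/8.0"
203.0.113.9 - - [14/May/2025:10:02:40 +0000] "GET /confirmbooking.php?id=43%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 1590 "-" "curl/8.0"
198.51.100.7 - - [14/May/2025:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Markup or inline-handler fragments have no business in a numeric booking id.
MARKUP_RE = re.compile(r'<|>|javascript:|on\w+\s*=', re.IGNORECASE)

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are inspected too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_id(raw_id):
    """Return a reason string if the id looks like an injection attempt, else None."""
    decoded = decode_fully(raw_id)
    if decoded.isdigit():
        return None  # well-formed numeric booking id
    if MARKUP_RE.search(decoded):
        return "markup_in_id"
    return "non_numeric_id"

def scan_log(text):
    """Return a list of (ip, timestamp, decoded_id, reason) for suspicious confirmbooking.php hits."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != "/confirmbooking.php":
            continue
        for raw_id in parse_qs(parts.query, keep_blank_values=True).get("id", []):
            reason = check_id(raw_id)
            if reason:
                findings.append((m.group("ip"), m.group("ts"), decode_fully(raw_id), reason))
    return findings
```

Run it against a real access log by passing the file contents to `scan_log`; the decoded `id` in each finding is what the application actually stored and will later render.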
References:
Impact: Cookie theft, session hijacking, admin compromise.
Note: Disclose responsibly; unpatched systems are actively targeted.
End of Report
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode